Diffstat (limited to 'scripts')
-rw-r--r--scripts/36us-ate-ny-email.txt34
-rw-r--r--scripts/36us-ate-ny-mail.php.txt109
-rw-r--r--scripts/DumpWeakCerts.pl179
-rw-r--r--scripts/mail-weak-keys.php161
-rw-r--r--scripts/perl_mysql.sample6
5 files changed, 489 insertions, 0 deletions
diff --git a/scripts/36us-ate-ny-email.txt b/scripts/36us-ate-ny-email.txt
new file mode 100644
index 0000000..6cd1ef1
--- /dev/null
+++ b/scripts/36us-ate-ny-email.txt
@@ -0,0 +1,34 @@
+CAcert Assurer Training Event -- New York / Rutgers / Piscataway, NJ
+::::::::::::::::::::::::::::::::::::::::::::::::::
+
+Dear Member of the CAcert Community,
+
+Much has happened during recent years. The old way of orally-transmitted procedures has now gone, and our rules have been cast into formal policies. New procedures (e.g. the Assurer Challenge) and obligations (e.g. in the CAcert Community Agreement) have been approved.
+
+The Assurer Training Events bring all this to you, the Assurer, and the Community:
+
+- What do you have to add onto the CAP form if you assure minors ?
+- What are the 2 essential CCA points you have to present an Assuree ?
+- Who can access the Member's privacy information?
+
+Answers to these and many other questions typically faced by Assurers are given at the Assurer Training Events (ATEs). Bring your ID for assurances. Especially note that Tverify/Thawte people need to boost up their Assurance Points.
+
+ATE-NY takes place at:
+* Monday, June 20th, 2011
+* Rutgers Department of Computer Science, Piscataway, NJ
+* 1pm - 4pm
+
+For Registration please reply: 'I will attend ATE-NY'
+
+Don't forget your ID!
+
+We are looking forward to hearing from you.
+
+
+- Best regards from the Event Team!
+
+
+PS: Contact: events@cacert.org
+Location, Transportation and other event details at
+[https://wiki.cacert.org/Events/20110620ATE-NewYork]
+
diff --git a/scripts/36us-ate-ny-mail.php.txt b/scripts/36us-ate-ny-mail.php.txt
new file mode 100644
index 0000000..1f75bb1
--- /dev/null
+++ b/scripts/36us-ate-ny-mail.php.txt
@@ -0,0 +1,109 @@
+#!/usr/bin/php -q
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2009 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ include_once("../includes/mysql.php");
+
+ $lines = "";
+ $fp = fopen("36us-ate-ny-email.txt", "r");
+ while(!feof($fp))
+ {
+ $line = trim(fgets($fp, 4096));
+ $lines .= wordwrap($line, 75, "\n")."\n";
+ }
+ fclose($fp);
+
+
+// $locid = intval($_REQUEST['location']);
+// $maxdist = intval($_REQUEST['maxdist']);
+// maxdist in [Km]
+ $maxdist = 200;
+
+
+// location location.ID
+// verified: 29.4.09 u.schroeter
+// $locid = 7902857; // Paris
+// $locid = 238568; // Bielefeld
+// $locid = 715191; // Hamburg
+// $locid = 1102495; // London
+// $locid = 520340; // Duesseldorf
+// $locid = 1260319; // Muenchen
+// $locid = 606058; // Frankfurt
+// $locid = 1775784; // Stuttgart
+// $locid = 228950; // Berlin
+// $locid = 606058; // Frankfurt
+// $locid = 599389; // Flensburg
+// $locid = 61065; // Amsterdam, Eemnes
+// $locid = 228950; // Berlin
+// $locid = 2138880; // Baltimore (Baltimore (city)), Maryland, US
+// $locid = 1486658; // Potsdam
+// $locid = 664715; // Goteborg, Vastra Gotaland, Sweden
+// $locid = 2094781; // Mission Hills (Los Angeles), California, US
+// $locid = 423655; // Copenhagen, Kobenhavn*, Denmark
+// $locid = 2257312; // Sydney, New South Wales, Australia
+// $locid = 572764; // Essen, Nordrhein-Westfalen, Germany
+// $locid = 78; // Aachen, Nordrhein-Westfalen, Germany
+// $locid = 266635; // Bonn, Nordrhein-Westfalen, Germany
+
+// ATE Washington DC, US, Jun 18th 2011
+// $locid = 2102723; // Washington (District of Columbia, ..., US
+// $eventname = "ATE-Washington-DC getting closer";
+// $city = "June 18th, 2011";
+
+// ATE Washington DC, US, Jun 18th 2011
+ $locid = 2177566; // New York (Bronx), New York, United States
+ $eventname = "ATE-New York / Rutgers / Piscataway, NJ";
+ $city = "June 20th, 2011";
+
+
+ $query = "select * from `locations` where `id`='$locid'";
+ $loc = mysql_fetch_assoc(mysql_query($query));
+
+ $query = "SELECT ROUND(6378.137 * ACOS(0.9999999*((SIN(PI() * $loc[lat] / 180) * SIN(PI() * `locations`.`lat` / 180)) +
+ (COS(PI() * $loc[lat] / 180 ) * COS(PI() * `locations`.`lat` / 180) *
+ COS(PI() * `locations`.`long` / 180 - PI() * $loc[long] / 180)))), -1) AS `distance`, sum(`points`) as pts, `users`.*
+ FROM `locations`
+ inner join `users` on `users`.`locid` = `locations`.`id`
+ inner join `alerts` on `users`.`id`=`alerts`.`memid`
+ inner join `notary` on `users`.`id`=`notary`.`to`
+ WHERE (`alerts`.`general`=1 OR `alerts`.`country`=1 OR `alerts`.`regional`=1 OR `alerts`.`radius`=1)
+ GROUP BY `users`.`id`
+ HAVING `distance` <= '$maxdist'
+ ORDER BY `distance` ";
+ echo $query;
+
+ // comment next line when starting to send mail not only to me
+ // $query = "select * from `users` where `email` like 'cacerttest%'";
+
+ $res = mysql_query($query);
+ $xrows = mysql_num_rows($res);
+
+ while($row = mysql_fetch_assoc($res))
+ {
+ // uncomment next line to send mails ...
+ sendmail($row['email'], "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ }
+ // 1x cc to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city", $lines, "events@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ // 1x mailing report to events.cacert.org
+ sendmail("events@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+
+ // 1x mailing report to Arbitrator of case http://wiki.cacert.org/wiki/Arbitrations/a20090525.1
+ sendmail("p.dunkel@cacert.org", "[CAcert.org] $eventname - $city Report", "invitation sent to $xrows recipients.", "support@cacert.org", "", "", "CAcert Events Organisation", "returns@cacert.org", 1);
+ echo "invitation sent to $xrows recipients.\n";
+
+?>
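Review bot: The safety comments in this hunk contradict the code state: the comment before the `sendmail()` call in the loop says "uncomment next line to send mails ..." but the call is live, and the test-override query above it ("comment next line when starting to send mail not only to me") is the line that is commented out, so running the script as committed mails every user within `$maxdist` of `$locid` immediately. A minimal guard would be a flag at the top, `$dry_run = true;`, and inside the loop `if ($dry_run) { echo $row['email'] . "\n"; continue; }` before the `sendmail()` call, so the recipient list can be reviewed first. Separately, neither `mysql_query()` result is checked: if `$locid` matches no row, `$loc` is `false`, `$loc[lat]`/`$loc[long]` interpolate as empty strings into the distance query, and `mysql_num_rows($res)` is then called on `false`; a `if ($res === false) { die(mysql_error()); }` after each query would surface that instead of reporting "invitation sent to 0 recipients".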
diff --git a/scripts/DumpWeakCerts.pl b/scripts/DumpWeakCerts.pl
new file mode 100644
index 0000000..85648fe
--- /dev/null
+++ b/scripts/DumpWeakCerts.pl
@@ -0,0 +1,179 @@
+#!/usr/bin/perl
+# Script to dump weak RSA certs (Exponent 3 or Modulus size < 1024) according to https://bugs.cacert.org/view.php?id=918
+# and https://wiki.cacert.org/Arbitrations/a20110312.1
+
+use strict;
+use warnings;
+
+use DBI;
+
+my $cacert_db_config;
+my $cacert_db_user;
+my $cacert_db_password;
+
+# Read database access data from the config file
+eval `cat perl_mysql`;
+
+my $dbh = DBI->connect($cacert_db_config, $cacert_db_user, $cacert_db_password, { RaiseError => 1, AutoCommit => 0 } ) || die "Cannot connect database: $DBI::errstr";
+
+my $sth_certs;
+my $sth_userdata;
+
+my $cert_domid;
+my $cert_userid;
+my $cert_orgid;
+my $cert_CN;
+my $cert_expire;
+my $cert_filename;
+my $cert_serial;
+
+my $user_email;
+my $user_firstname;
+
+my $reason;
+
+my @row;
+
+sub IsWeak($) {
+ my ($CertFileName) = @_;
+
+ my $ModulusSize = 0;
+ my $Exponent = 0;
+ my $result = 0;
+
+ # Do key size and exponent checking for RSA keys
+ open(CERTTEXT, '-|', "openssl x509 -in $CertFileName -noout -text") || die "Cannot start openssl";
+ while (<CERTTEXT>) {
+ if (/^ +([^ ]+) Public Key:/) {
+ last if ($1 ne "RSA");
+ }
+ if (/^ +Modulus \((\d+) bit\)/) {
+ $ModulusSize = $1;
+ }
+ if (/^ +Exponent: (\d+)/) {
+ $Exponent = $1;
+ last;
+ }
+ }
+ close(CERTTEXT);
+ if ($ModulusSize > 0 && $Exponent > 0) {
+ if ($ModulusSize < 1024 || $Exponent==3) {
+ $result = "SmallKey";
+ }
+ }
+
+ if (!$result) {
+ # Check with openssl-vulnkey
+ # This is currently not tested, if you don't know what you are doing leave it commented!
+ if (system("openssl-vulnkey -q $CertFileName") != 0) {
+ $result = "openssl-vulnkey";
+ }
+ }
+
+ return $result;
+}
+
+# Select only certificates expiring in more than two weeks, since two weeks will probably be needed as turnaround time
+# Get all domain certificates
+$sth_certs = $dbh->prepare(
+ "SELECT `dc`.`domid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+ " FROM `domaincerts` AS `dc` ".
+ " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `domains` AS `d`, `users` AS `u` ".
+ " WHERE `d`.`memid`=`u`.`id` AND `d`.`id`=?");
+
+while(($cert_domid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_domid);
+ ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
+ print join("\t", ('DomainCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+# Get all email certificates
+$sth_certs = $dbh->prepare(
+ "SELECT `ec`.`memid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+ " FROM `emailcerts` AS `ec` ".
+ " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `users` AS `u` ".
+ " WHERE `u`.`id`=?");
+
+while(($cert_userid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_userid);
+ ($user_email, $user_firstname) = $sth_userdata->fetchrow_array();
+ print join("\t", ('EmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+# Get all Org Server certificates, notify all admins of the Org!
+$sth_certs = $dbh->prepare(
+ "SELECT `dc`.`orgid`, `dc`.`CN`, `dc`.`expire`, `dc`.`crt_name`, `dc`.`serial` ".
+ " FROM `orgdomaincerts` AS `dc` ".
+ " WHERE `dc`.`revoked`=0 AND `dc`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `users` AS `u`, `org` ".
+ " WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
+
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_orgid);
+ while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
+ print join("\t", ('OrgServerCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ }
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+# Get all Org Email certificates, notify all admins of the Org!
+$sth_certs = $dbh->prepare(
+ "SELECT `ec`.`orgid`, `ec`.`CN`, `ec`.`expire`, `ec`.`crt_name`, `ec`.`serial` ".
+ " FROM `orgemailcerts` AS `ec` ".
+ " WHERE `ec`.`revoked`=0 AND `ec`.`expire` > DATE_ADD(NOW(), INTERVAL 14 DAY)");
+$sth_certs->execute();
+
+$sth_userdata = $dbh->prepare(
+ "SELECT `u`.`email`, `u`.`fname` ".
+ " FROM `users` AS `u`, `org` ".
+ " WHERE `u`.`id`=`org`.`memid` and `org`.`orgid`=?");
+
+while(($cert_orgid, $cert_CN, $cert_expire, $cert_filename, $cert_serial) = $sth_certs->fetchrow_array) {
+ if (-f $cert_filename) {
+ $reason = IsWeak($cert_filename);
+ if ($reason) {
+ $sth_userdata->execute($cert_orgid);
+ while(($user_email, $user_firstname) = $sth_userdata->fetchrow_array()) {
+ print join("\t", ('OrgEmailCert', $user_email, $user_firstname, $cert_expire, $cert_CN, $reason, $cert_serial)). "\n";
+ }
+ $sth_userdata->finish();
+ }
+ }
+}
+$sth_certs->finish();
+
+$dbh->disconnect();
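Review bot: In `IsWeak`, the `openssl-vulnkey` fallback is unconditionally reached for every certificate that is not flagged as SmallKey, while the comment directly above it says the check is untested and should stay commented; because `system()` returns -1 when the program cannot be started, a host without `openssl-vulnkey` installed will report every such certificate with reason `openssl-vulnkey`, i.e. a false positive for the whole dump. Either comment the block out as the note says, or check for the tool first and distinguish "could not run" from "reported vulnerable", e.g. `my $rc = system('openssl-vulnkey', '-q', $CertFileName); die "Cannot run openssl-vulnkey" if $rc == -1; $result = "openssl-vulnkey" if $rc != 0;`. The same change should use the list form for the `openssl x509` pipe as well, `open(CERTTEXT, '-|', 'openssl', 'x509', '-in', $CertFileName, '-noout', '-text') || die "Cannot start openssl";`, since `crt_name` comes from the database and the current string form hands it to a shell unquoted. The `eval` of the `cat perl_mysql` output also never checks `$@`, so a missing or malformed config leaves `$cacert_db_config` undefined and the failure only appears as a confusing DBI connect error.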
diff --git a/scripts/mail-weak-keys.php b/scripts/mail-weak-keys.php
new file mode 100644
index 0000000..018bd64
--- /dev/null
+++ b/scripts/mail-weak-keys.php
@@ -0,0 +1,161 @@
+#!/usr/bin/php -q
+<? # Companion script to DumpWeakCerts.pl, takes output and sends a mail to each owner of a weak cert
+
+ function SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate
+Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible
+and replace your existing certificate.
+
+If you are interested in background information on this change please refer to this document:
+http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all
+client certficates must be backed by private keys with a key length at least 1024 bits
+and no other known vulnerabilities.
+
+This means that you should replace your current certificate with a new one of acceptable strength.
+If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
+If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
+option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certficate
+request will be rejected.
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Organisation Server Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all Certficate
+Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
+
+You should submit a new Certificate Signing Request of acceptable strength as soon as possible
+and replace your existing certificate.
+
+If you are interested in background information on this change please refer to this document:
+http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Organisation Server Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ function SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date) {
+ $mail_text =
+"Dear $owner_name,
+
+CAcert recently became aware that some of the certificates signed by CAcert pose a security
+risk because they are backed by private keys that are vulnerable to attack.
+
+The security issues identified are:
+Private keys with a small key size. These keys are vulnerable to brute force attack.
+Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
+Private keys generated by a compromised version of OpenSSL distributed by Debian.
+
+You received this email because a certificate issued to you is vulnerable:
+
+Organisation Client Certificate, Serial $cert_serial, expiring $cert_expire, CN $cert_CN
+
+To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on $action_date.
+CAcert will no longer accept vulnerable certificate requests for signing. In future all
+client certficates must be backed by private keys with a key length at least 1024 bits
+and no other known vulnerabilities.
+
+This means that you should replace your current certificate with a new one of acceptable strength.
+If you use Firefox or Chrome, select 'Keysize: High Grade' before 'Create Certificate Request'.
+If you use Internet Explorer, select 'Microsoft Strong Cryptographic Provider'. If you select an
+option that generates a weak key (eg 'Microsoft Base Cryptographic Provider v1.0') your certficate
+request will be rejected.
+
+Kind regards
+CAcert Suport Team
+";
+ mail($cert_email, "[CAcert.org]CAcert Organisation Client Certificate - Urgent Action Required", $mail_text, "From: CAcert Support <support@cacert.org>\nReply-To: returns@cacert.org");
+ }
+
+ # Main
+
+ $num_domain = 0;
+ $num_client = 0;
+ $num_orgdomain = 0;
+ $num_orgclient = 0;
+ $action_date = '2011-04-??';
+ $in = fopen("php://stdin", "r");
+ while($in_string = rtrim(fgets($in, 255))) {
+ list($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial) = explode("\t", $in_string);
+
+ if ($cert_type == "DomainCert") {
+ SendServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_domain++;
+ } else if ($cert_type == "EmailCert") {
+ SendClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_client++;
+ } else if ($cert_type == "OrgServerCert") {
+ SendOrgServerCertMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_orgdomain++;
+ } else if ($cert_type == "OrgEmailCert") {
+ SendOrgClientMail($cert_type, $cert_email, $owner_name, $cert_expire, $cert_CN, $reason, $cert_serial, $action_date);
+ $num_orgclient++;
+ }
+ }
+ fclose($in);
+ echo "Mails sent: $num_domain server certs, $num_client client certs, $num_orgdomain Org server certs, $num_orgclient Org client certs.\n";
+?>
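Review bot: The input loop `while($in_string = rtrim(fgets($in, 255)))` reads at most 254 bytes per call, so any dump line longer than that (a long CN plus name, expiry and serial is easily enough) is split into two records: the first is processed with a truncated serial or CN in the outgoing mail, and the tail fragment silently matches none of the `$cert_type` branches and is dropped. It also stops at the first empty line rather than at end of file. A safer shape is `while (($in_string = fgets($in)) !== false) {` followed by `$in_string = rtrim($in_string, "\r\n"); if ($in_string === '') { continue; }`, and `list()` should only be assigned when `explode("\t", $in_string)` yields seven fields. `$action_date = '2011-04-??'` is a placeholder that would be mailed verbatim in the revocation sentence; the script should refuse to run while it still contains `?`. Note also that `$reason` is passed to all four Send* functions but never used, so recipients are not told which of the three listed issues applies to their certificate.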
diff --git a/scripts/perl_mysql.sample b/scripts/perl_mysql.sample
new file mode 100644
index 0000000..4800289
--- /dev/null
+++ b/scripts/perl_mysql.sample
@@ -0,0 +1,6 @@
+# This file contains the data needed to connect to the database to be
+# used in perl scripts
+
+$cacert_db_config = 'DBI:mysql:database=cacert;host=127.0.0.1';
+$cacert_db_user = 'cacert';
+$cacert_db_password = '<put_password_here>'; \ No newline at end of file
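Review bot: The header comment does not say that this file is executed as Perl code by DumpWeakCerts.pl (it is loaded via `eval` of the `cat perl_mysql` output), which matters for whoever fills in the real values: a syntax error or a stray character in the password line is not reported and simply leaves the variables undefined. Suggest extending the comment with `# NOTE: DumpWeakCerts.pl evals this file as Perl code; keep it to plain assignments, quote the password as a single-quoted string, and give the real perl_mysql restrictive permissions since it holds the database password.`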